DHS Highlights Common Security Oversights by Office 365 Customers
As organizations migrate to Microsoft Office 365 and other cloud services, many fail to use proper configurations that ensure good security practices, the U.S. Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA) warns.
Improperly configured cloud services create risks and vulnerabilities and the root cause of this issue is often the use of third-party firms to migrate to cloud, which resulted in a mix of configurations that lowered the organizations’ security posture.
In addition, CISA says, most of the organizations that used a third-party did not have a dedicated IT security team to focus on their security in the cloud. Combined, these oversights have led to user and mailbox compromises and vulnerabilities.
According to CISA, customers who used third-parties to migrate email services to Office 365 did not have multi-factor authentication enabled by default for administrator accounts, had mailbox auditing disabled and password sync enabled, and allowed for the use of legacy protocols that did not support authentication.
Although Azure Active Directory (AD) Global Administrators have the highest level of administrator privileges at the tenant level in an Office 365 environment, multi-factor authentication (MFA) is not enabled by default for these accounts, CISA points out.
There is a policy available, but it needs to be explicitly enabled to turn on MFA for these accounts, which are exposed to the Internet because they are based in the cloud. Failing to secure them could allow an attacker to maintain persistence as a customer migrates users to O365.
Mailbox auditing, which logs the actions of mailbox owners, delegates, and administrators, was not enabled by default in Office 365 prior to January 2019 and customers had to explicitly enable it.
Unified audit log, which contains events from Exchange Online, SharePoint Online, OneDrive, Azure AD, Microsoft Teams, PowerBI, and other O365 services is not enabled by default in Office 365 environments. Admins must enable the unified audit log in the Security and Compliance Center.
Another issue is the syncing of passwords between Azure AD identities and on-premises AD identities, which could result in the Azure AD password for an admin account being overwritten with that for an on-premises account with the same username. Thus, an attacker could move laterally to the cloud.
While Microsoft disabled the option to match certain administrator accounts as of October 2018, organizations might still have administrator account on which they performed matching prior to the change, and synced identities that may be have been compromised prior to migration, CISA says.
Another issue is the existence of Exchange Online authentication protocols that lack support for modern authentication methods with MFA features, including Post Office Protocol (POP3), Internet Message Access Protocol (IMAP), and Simple Mail Transport Protocol (SMTP).
Older email clients that use such protocols do not support modern authentication, but are a business necessity for some organizations. Thus, with legacy protocols not disabled, email accounts remain exposed to the Internet with only the username and password as the primary authentication method.
To mitigate the issue, an organization should inventory users who still require legacy email clients and legacy email protocols and use Azure AD Conditional Access policies to reduce the number of such users, thus effectively reducing the attack surface.
Organizations recommend that admins implement multi-factor authentication, enable unified audit logging in the Security and Compliance Center and mailbox auditing for each user, ensure Azure AD password sync is planned for and configured correctly, and disable legacy email protocols, if not required.
Related: Office 365, Outlook Credentials Most Targeted by Phishing Kits
Related: Phishers Use Zero-Width Spaces to Bypass Office 365 Protections
Related: Hackers Bypass MFA on Cloud Accounts via IMAP Protocol
Ionut Arghire is an international correspondent for SecurityWeek.
Tags: 
Gloss